Abstract. We define and study a new abstract domain which is a fine-grained combination of zonotopes with polyhedric domains such as the interval, octagon, linear templates or polyhedron domain. While abstract transfer functions are still rather inexpensive and accurate even for interpreting non-linear computations, we are able to also interpret tests (i.e. intersections) efficiently. This fixes a known drawback of zonotopic methods, as used for reachability analysis for hybrid systems as well as for invariant generation in abstract interpretation: intersections of zonotopes are not always zonotopes, and there is not even a best zonotopic over-approximation of the intersection. We describe some examples and an implementation of our method in the APRON library, and discuss some further interesting combinations of zonotopes with non-linear or non-convex domains such as quadratic templates and maxplus polyhedra.



1 Introduction 

Zonotopic abstractions are known to give fast and accurate over-approximations in invariant synthesis for static analysis of programs, as introduced by the authors in earlier work, as well as in reachability analysis of hybrid systems [10]. The main reason for this is that the interpretation of linear assignments is exact and done in linear time in terms of the "complexity" of the zonotopes, and non-linear expressions are dynamically linearized in a rather inexpensive way, unlike for most other sub-polyhedric domains (zones [19], linear templates [21], even polyhedra [6]). But unions, with the exception of recent work [14], and more particularly intersections [9], are not canonical operations, and are generally computed using approximate and costly methods, contrary to the other domains we mentioned. We present in this article a way to combine the best of the two worlds: by constructing a form of logical product [15] of zonotopes with any of these sub-polyhedric domains, we still get accurate and inexpensive methods to deal with the interpretation of linear and non-linear assignments, while intersections in particular come clean thanks to the sub-polyhedric component of the domain.

Consider for instance the following program (loosely based on non-linear interpolation methods in e.g. embedded systems), which will be our running example:

    real x = [0,10];
    real y = x*x - x;
    if (y >= 0) y = x/10;   /* ( x=0 or x >= 1 ) and y in [0,1] */
    else y = x*x + 2;       /* ( x>0 and x<1 ) and y in [2,3] */

As indicated in the comments of the program, the if branch is taken when we have x = 0 or x >= 1, so that y at the end of the program is always in [0, 3]. Although this program looks quite simple, it is difficult to analyze and the invariants found for y at the end of the program by classical domains¹ are disappointing: intervals, octagons, polyhedra, or zonotopes without constraints all find a range of values for y larger than or equal to [0, 102]: even those which interpret non-linear operations quite accurately are not able to derive a constraint on x from the constraint on y. Whereas by the method proposed here, a logical product of zonotopes with intervals, in its APRON implementation, we find the much better range [0, 9.72] (instead of the exact result [0, 3]).



Contents of the paper We first introduce in Section 2 affine sets, a zonotopic abstract domain for abstract interpretation, that abstracts input/output relations in a program. We then introduce the problem of computing intersections in Section 3: starting with the running example, we define constrained affine sets as the combination of zonotopes with polyhedric domains and show they are well suited for the interpretation of tests. We then generalize the order on affine sets to constrained affine sets and define monotonic abstract transfer functions for arithmetic operators, that over-approximate the concrete semantics. Section 4 completes the definition of this new abstract domain: starting with the easier "one-variable" problem, we then give an algorithm for computing a join operator. We demonstrate the interest of the domain by describing in Section 5 the results on some examples, based on an implementation of our method in the library APRON. We conclude by a discussion of future work, including some further interesting combinations of zonotopes with non-linear or non-convex domains such as quadratic templates and maxplus polyhedra.

Related work In [17], the authors propose an approach based on a reduced product [5], to get more tractable and efficient methods for deriving sub-polyhedric invariants. But, still, the reduction algorithm of [17] is fairly expensive, and this domain also suffers from the drawbacks of polyhedra, in the sense that it is not well suited for efficiently and precisely deriving invariants for non-linear computations. Logical products in abstract interpretation are defined in [15]. The authors use the Nelson-Oppen combination method for logical theories, in the convex case, to get polynomial time abstractions on a much finer (than classical reduced products) combination of two abstract domains. As explained in Section 3.2, this approach does not directly carry over to our case, because the theories we want to combine do not satisfy all the hypotheses of [15]. We thus choose in this paper a direct approach to the logical product of zonotopes with other classical abstract domains.

2 Affine sets: main definitions and properties 
2.1 Affine arithmetic and zonotopes 

Affine arithmetic is an extension of interval arithmetic on affine forms, first introduced in [4], that takes into account affine correlations between variables. An affine form is a formal sum over a set of noise symbols $\varepsilon_i$

    $\hat{x} \stackrel{\mathrm{def}}{=} \alpha_0^x + \sum_{i=1}^n \alpha_i^x \varepsilon_i,$

with $\alpha_i^x \in \mathbb{R}$ for all $i$. Each noise symbol $\varepsilon_i$ stands for an independent component of the total uncertainty on the quantity $x$; its value is unknown but bounded in $[-1,1]$; the corresponding coefficient $\alpha_i^x$ is a known real value, which gives the magnitude of that component. The same noise symbol can be shared by several quantities, indicating correlations among them. These noise symbols can not only model uncertainty in data or parameters, but also uncertainty coming from computation. The semantics of affine operations is straightforward; non-affine operations are linearized and introduce a new noise symbol: we refer the reader to [13] for more details.

In what follows, we introduce matrix notations to handle tuples of affine forms. We note $\mathcal{M}(n,p)$ the space of matrices with $n$ lines and $p$ columns of real coefficients. A tuple of affine forms expressing the set of values taken by $p$ variables over $n$ noise symbols $\varepsilon_i$, $1 \leq i \leq n$, can be represented by a matrix $A \in \mathcal{M}(n+1,p)$. We formally define the zonotopic concretization of such tuples by:

Definition 1. Let a tuple of affine forms with $p$ variables over $n$ noise symbols be defined by a matrix $A \in \mathcal{M}(n+1,p)$. Its concretization is the zonotope

    $\gamma(A) = \{\, {}^tA\,{}^te \mid e = (1, \varepsilon_1, \ldots, \varepsilon_n),\ \varepsilon_i \in [-1,1] \,\} \subseteq \mathbb{R}^p.$

¹ The experiments were carried out using the domains interfaced within APRON [20].
2.2 An ordered structure: affine sets

In order to construct an ordered structure preserving abstract input/output relations [14], we now define affine sets $X$ as Minkowski sums of a central zonotope $\gamma(C^X)$ and of a perturbation zonotope centered on 0, $\gamma(P^X)$. Central zonotopes depend on central noise symbols $\varepsilon_i$, whose interpretation is fixed once and for all in the whole program: they represent the uncertainty on input values to the program, with which we want to keep as many relations as possible. Perturbation zonotopes depend on perturbation symbols $\eta_j$ which are created along the interpretation of the program and represent the uncertainty of values due to the control-flow abstraction, for instance while computing the join of two abstract values.

Definition 2. We define an affine set $X$ by the pair of matrices $(C^X, P^X) \in \mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. The affine form $\pi_k(X) = c^X_{0k} + \sum_{i=1}^n c^X_{ik}\varepsilon_i + \sum_{j=1}^m p^X_{jk}\eta_j$, where the $\varepsilon_i$ are the central noise symbols and the $\eta_j$ the perturbation or union noise symbols, describes the $k$th variable of $X$.



We define an order on affine sets [7, 14] which is slightly more strict than concretization inclusion: it formalizes the fact that the central symbols have a specific interpretation as parametrizing the initial values of input arguments to the analyzed program:

Definition 3. Let $X = (C^X, P^X)$, $Y = (C^Y, P^Y)$ be two affine sets in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We say that $X \leq Y$ iff

    $\forall u \in \mathbb{R}^p,\ \|(C^Y - C^X)u\|_1 \leq \|P^Y u\|_1 - \|P^X u\|_1.$

It expresses that the norm of the difference $(C^Y - C^X)u$ for all $u \in \mathbb{R}^p$ is less than what the perturbation terms $P^X$ and $P^Y$ allow, that is the difference of the norms of $P^Y u$ and $P^X u$.

The binary relation $\leq$ of Definition 3 is a preorder, that we identify in the sequel with the partial order, quotient of this preorder by the equivalence relation² $X \sim Y$ iff by definition $X \leq Y$ and $Y \leq X$. Note also that this partial order is decidable, with a complexity bounded by a polynomial in $p$ and an exponential in $n + m$. In practice, see [14], we do not need to use this costly general decision procedure.

3 Constrained affine sets for intersection 

As discussed in [13], we can define an efficient join operator of two affine sets, but no satisfying meet operator. We now describe a logical product approach to interpret tests by adding constraints in an abstract domain over the noise symbols $\varepsilon_i$. We first present the interpretation of tests, before the other abstract transfer functions, since this is the point that motivates the introduction of this new domain.

Take for example the running example. Before the test if (y >= 0), we have $x = 5 + 5\varepsilon_1$ and, using the multiplication on affine forms as defined in Section 3.3, $y = 32.5 + 45\varepsilon_1 + 12.5\varepsilon_2$, with $\varepsilon_1 \in [-1,1]$ and $\varepsilon_2 \in [-1,1]$. In the abstract value associated with the true branch is added the abstraction of the constraint $32.5 + 45\varepsilon_1 + 12.5\varepsilon_2 \geq 0$. Here, in intervals, it does not generate any additional constraint, but it would in a relational domain. In the false branch, the abstraction of $32.5 + 45\varepsilon_1 + 12.5\varepsilon_2 < 0$ is added, which generates the constraint $\varepsilon_1 < -0.444$: we thus infer that $x$ is bounded by $[0, 2.77]$ in this branch.

We now introduce the logical product of the domain $A_1$ of Section 2 with any lattice $(A_2, \leq_2, \sqcup_2, \sqcap_2)$, used to abstract the values of the noise symbols $\varepsilon_i$ and $\eta_j$. Formally, supposing that we have $n+1$ noise symbols $\varepsilon_i$ and $m$ noise symbols $\eta_j$ as in Section 2.2, we are given a concretization function $\gamma_2 : A_2 \to \mathcal{P}(\{1\} \times \mathbb{R}^n \times \mathbb{R}^m)$ and pseudo-inverse $\alpha_2$. We now define constrained affine sets:

Definition 4. A constrained affine set $U$ is a pair $U = (X, \Phi^X)$ where $X = (C^X, P^X)$ is an affine set, and $\Phi^X$ is an element of $A_2$. Equivalently, we write $U = (C^X, P^X, \Phi^X)$.

Classical abstractions of "constraints" on the $\varepsilon_i$ we will be using throughout this text are $A_2$ consisting of products of $1 + n + m$ intervals (with the first one always being equal to 1), zones, octagons, and polyhedra (in the hyperplane $\varepsilon_0 = 1$).

² It can be characterized by $C^X = C^Y$ and the same concretizations for $P^X$ and $P^Y$.



3.1 Interpretation of tests 



Equality tests on variables We first consider the case of the interpretation of an equality test of two variables within an abstract state. Let us begin with a motivating example, which will make clear what the general interpretation of Definition 5 should be.

Example 1. Consider, with an interval domain for the noise symbols, $Z = [x_1 == x_2]X$ where

    $\Phi^X = 1 \times [-1,1] \times [-1,1] \times [-1,1]$
    $x_1 = 4 + \varepsilon_1 + \varepsilon_2 + \eta_1,\quad \gamma(x_1) = [1,7]$
    $x_2 = -\varepsilon_1 + 3\varepsilon_2,\quad \gamma(x_2) = [-4,4]$

We look for $z = x_1 = x_2$, with $z = z_0 + z_1\varepsilon_1 + z_2\varepsilon_2 + z_3\eta_1$. Using $x_1 - x_2 = 0$, i.e.

    $4 + 2\varepsilon_1 - 2\varepsilon_2 + \eta_1 = 0,$   (1)

and substituting $\eta_1$ in $z - x_1 = 0$, we deduce $z_0 = 4z_3$, $z_1 = 2z_3 - 1$, $z_2 = -2z_3 + 3$. The abstraction in intervals of constraint (1) yields tighter bounds on the noise symbols: $\Phi^Z = 1 \times [-1,-0.5] \times [0.5,1] \times [-1,0]$. We now look for $z_3$ that minimizes the width of the concretization of $z$, that is $0.5|2z_3 - 1| + 0.5|3 - 2z_3| + |z_3|$. A straightforward $O((m+n)^2)$ method to solve the problem evaluates this expression for $z_3$ successively equal to 0, 0.5 and 1.5: the minimum is reached for $z_3 = 0.5$. We then have

    $\Phi^Z = 1 \times [-1,-0.5] \times [0.5,1] \times [-1,0]$
    $x_1^Z\ (= x_2^Z) = 2 + 2\varepsilon_2 + 0.5\eta_1,\quad \gamma(x_1^Z) = \gamma(x_2^Z) = [2.5,4]$

Note that the concretization $\gamma(x_1^Z) = \gamma(x_2^Z)$ is not only better than the intersection of the concretizations $\gamma(x_1^X)$ and $\gamma(x_2^X)$, which is $[1,4]$, but also better than the intersection of the concretizations of the affine forms $x_1^X$ and $x_2^X$ for noise symbols in $\Phi^Z$. Note that there is not always a unique solution minimizing the width of the concretization.

In the general case, noting in bold letters the interval concretization of noise symbols:

Definition 5. Let $X = (C^X, P^X, \Phi^X)$ be a constrained affine set with $(C^X, P^X) \in \mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We define $Z = [x_i == x_j]X$ by:

- $\Phi^Z = \Phi^X \cap \alpha_2(\{(\varepsilon_1, \ldots, \varepsilon_n, \eta_1, \ldots, \eta_m) \mid (c^X_{0i} - c^X_{0j}) + \sum_{r=1}^n (c^X_{ri} - c^X_{rj})\varepsilon_r + \sum_{l=1}^m (p^X_{li} - p^X_{lj})\eta_l = 0\})$,
- $c^Z_{rl} = c^X_{rl}$ for all $r \in \{0, \ldots, n\}$ and all $l \in \{1, \ldots, p\}$, $l \notin \{i, j\}$,
- $p^Z_{rl} = p^X_{rl}$ for all $r \in \{1, \ldots, m\}$ and all $l \in \{1, \ldots, p\}$, $l \notin \{i, j\}$.

Let $k$ be such that $c^X_{kj} - c^X_{ki} \neq 0$; we define

    $c^Z_{li} = c^Z_{lj} = c^X_{li} + \frac{c^X_{lj} - c^X_{li}}{c^X_{kj} - c^X_{ki}}\,(c^Z_{ki} - c^X_{ki}) \quad \forall l \in \{0, \ldots, n\},\ l \neq k,$   (2)

    $p^Z_{li} = p^Z_{lj} = p^X_{li} + \frac{p^X_{lj} - p^X_{li}}{c^X_{kj} - c^X_{ki}}\,(c^Z_{ki} - c^X_{ki}) \quad \forall l \in \{1, \ldots, m\},$   (3)

with $c^Z_{kj} = c^Z_{ki}$ chosen so as to minimize $\sum_{l=1}^n |c^Z_{li}|\,\mathrm{dev}(\boldsymbol{\varepsilon}_l^Z) + \sum_{l=1}^m |p^Z_{li}|\,\mathrm{dev}(\boldsymbol{\eta}_l^Z)$.

This expresses that the abstraction of the constraint on the noise symbols induced by the test is added to the domain of constraints, and the exact constraint is used to define an affine form $z$ satisfying $z = x_i^Z = x_j^Z$, and such that $\gamma(z)$ is minimal. Indeed, let $k$ be such that $c^X_{kj} - c^X_{ki} \neq 0$; then $x_j == x_i$ allows us to express $\varepsilon_k$ as

    $\varepsilon_k = \frac{c^X_{0j} - c^X_{0i}}{c^X_{ki} - c^X_{kj}} + \sum_{1 \leq l \leq n,\ l \neq k} \frac{c^X_{lj} - c^X_{li}}{c^X_{ki} - c^X_{kj}}\,\varepsilon_l + \sum_{1 \leq l \leq m} \frac{p^X_{lj} - p^X_{li}}{c^X_{ki} - c^X_{kj}}\,\eta_l.$   (4)

We now look for $\pi_i(Z) = \pi_j(Z)$ equal to $\pi_i(X)$ and $\pi_j(X)$ under the condition on the noise symbols. Substituting $\varepsilon_k$ in for example $\pi_i(Z) = \pi_i(X)$, we can express, for all $l$, $c^Z_{li}$ and $p^Z_{li}$ as functions of $c^Z_{ki}$ and get a possibly infinite number of solutions defined by (2) and (3) that are all equivalent when (4) holds. When condition (4) is abstracted in a noise symbols abstract domain such as intervals, these abstract solutions are no longer equivalent; we choose the one that minimizes the width of $\gamma(\pi_i(Z))$, which is given by $\sum_{l=1}^n |c^Z_{li}|\,\mathrm{dev}(\boldsymbol{\varepsilon}_l^Z) + \sum_{l=1}^m |p^Z_{li}|\,\mathrm{dev}(\boldsymbol{\eta}_l^Z)$. This sum is of the form $\sum_{l=1}^{m+n} |a_l + b_l\, c^Z_{ki}|$ with known constants $a_l$ and $b_l$. The minimization problem can be efficiently solved in $O((m+n)\log(m+n))$ time, $m+n$ being the number of noise symbols appearing in the expressions of $x_i$ and $x_j$, by noting that the minimum is reached for $c^Z_{ki} = -\frac{a_{l_0}}{b_{l_0}}$ for some $l_0 \in \{1, \ldots, m+n\}$. When it is reached for two indexes $l_p$ and $l_q$, it is reached for all values in $[-\frac{a_{l_p}}{b_{l_p}}, -\frac{a_{l_q}}{b_{l_q}}]$, but we choose one of the bounds of this interval because it corresponds to the substitution in $x_i^Z$ of one of the noise symbols, and is in the interest of the interpretation of tests on expressions.



Equality tests on expressions Now, in the case of an equality test between arithmetic expressions, new constraints on the noise symbols can be added, corresponding to the equality of the two expressions interpreted as affine forms. We also choose new affine forms for variables appearing in the equality test: let $X = (C^X, P^X, \Phi^X)$ be a constrained affine set with $(C^X, P^X) \in \mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We define $Z = [exp1 == exp2]X$ by: $Y_1 = [x_{p+1} = exp1][x_{p+2} = exp2]X$ using the semantics for arithmetic operations, as defined in Section 3.3, then $Y_2 = [x_{p+1} == x_{p+2}]Y_1$. Noting that one of the noise symbols appearing in the constraint introduced by the equality test does not appear in $x^{Y_2}_{p+1} = x^{Y_2}_{p+2}$ as computed by Definition 5, we use this constraint to substitute this noise symbol in the other variables of $Y_2$. We then eliminate the added variables $x_{p+1}$ and $x_{p+2}$ to obtain $Z$, in which $exp1 == exp2$ is thus algebraically satisfied.

Example 2. Consider $Z = [x_1 + x_2 == x_3]X$ where

    $\Phi^X = 1 \times [-1,1] \times [-1,1] \times [-1,1]$
    $x_1 = 2 + \varepsilon_1,\quad \gamma(x_1) = [1,3]$
    $x_2 = 2 + \varepsilon_2 + \eta_1,\quad \gamma(x_2) = [0,4]$
    $x_3 = -\varepsilon_1 + 3\varepsilon_2,\quad \gamma(x_3) = [-4,4]$

We first compute $x_4 := x_1 + x_2$ in affine arithmetic: here, the problem $x_4 == x_3$ is then the test we solved in Example 1. The abstraction in intervals of constraint (1) yields $\Phi^Z = 1 \times [-1,-0.5] \times [0.5,1] \times [-1,0]$, and an affine form optimal in the sense of the width of its concretization, $x_3^Z = 2 + 2\varepsilon_2 + 0.5\eta_1$. Now, $x_1^X + x_2^X = x_3^Z$ is satisfied when constraint (1) holds exactly, but not in its interval abstraction $\Phi^Z$. But substituting $\varepsilon_1$, which does not appear in $x_3^Z$, by $-2 + \varepsilon_2 - 0.5\eta_1$ in $x_1^X$ and $x_2^X$, we obtain forms $x_1^Z$ and $x_2^Z$ that satisfy $x_1 + x_2 == x_3$ in the abstract domain:

    $\Phi^Z = 1 \times [-1,-0.5] \times [0.5,1] \times [-1,0]$
    $x_1^Z = \varepsilon_2 - 0.5\eta_1,\quad \gamma(x_1^Z) = [0.5,1.5]$
    $x_2^Z = 2 + \varepsilon_2 + \eta_1,\quad \gamma(x_2^Z) = [1.5,3]$
    $x_3^Z = 2 + 2\varepsilon_2 + 0.5\eta_1,\quad \gamma(x_3^Z) = [2.5,4]$

Inequality tests In the case of inequality tests, we only add constraints on noise symbols, for example for strict inequality:

Definition 6. Let $X = (C^X, P^X, \Phi^X)$ be a constrained affine set with $(C^X, P^X) \in \mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We define $Z = [exp1 < exp2]X$ by $Z = (C^X, P^X, \Phi^Z)$:

    $\Phi^Z = \Phi^X \cap \alpha_2(\{(\varepsilon_1, \ldots, \varepsilon_n, \eta_1, \ldots, \eta_m) \mid (c^Y_{0,p+2} - c^Y_{0,p+1}) + \sum_{r=1}^n (c^Y_{r,p+2} - c^Y_{r,p+1})\varepsilon_r + \sum_{l=1}^m (p^Y_{l,p+2} - p^Y_{l,p+1})\eta_l > 0\})$

where $Y = [x_{p+1} = exp1][x_{p+2} = exp2]X$.

3.2 Order relation

In a standard reduced product [5] of $A_1$ with $A_2$, the order relation would naturally be based on the component-wise ordering. But in such products, we cannot possibly reduce the abstract values so as to gain as much collaboration as needed between $A_1$ and $A_2$ for giving formal grounds to the reasoning of Example 1 for instance. What we really need is to combine the logical theory of affine sets, $Th(A_1)$³, with the one of quantifier-free linear arithmetic [18] over the reals, $Th(A_2)$⁴, including all the domains we have in mind in this paper (intervals, zones, octagons, linear and non-linear templates, polyhedra). Looking back at Example 1, we found a solution to the constraint $x_1 == x_2$ via a fine-grained interaction between the two theories $Th(A_1)$ and $Th(A_2)$. Unfortunately, the methods of [15] are not directly applicable; in particular $A_1$ is not naturally expressible as a logical lattice; it is not even a lattice in general. Also, the signatures $\Sigma_{A_1}$ and $\Sigma_{A_2}$ share common symbols, which is not allowed in the approach of [15].

³ Signature $\Sigma_{A_1}$ comprises equality, addition, multiplication by real numbers and real numbers.
⁴ Signature $\Sigma_{A_2}$ comprises $\Sigma_{A_1}$ plus inequality and negation.

In order to compute the abstract transfer functions in the logical product $Th(A_1) \cup Th(A_2)$, we first define an order relation on the product domain $A_1 \times A_2$, that allows a fine interaction between the two domains. First, $X = (C^X, P^X, \Phi^X) \leq Y = (C^Y, P^Y, \Phi^Y)$ should imply that $\Phi^X \leq_2 \Phi^Y$, i.e. the range of values that noise symbols can take in form $X$ is smaller than for $Y$. Then, we mean to adapt Definition 3 for noise symbols no longer defined in $[-1,1]$ as in the unconstrained case, but in the range of values $\Phi^X$ common to $X$ and $Y$. Noting that

    $\|C^X u\|_1 = \sup_{\varepsilon \in [-1,1]^{n+1}} |\langle \varepsilon, C^X u \rangle|$

where $\langle \cdot, \cdot \rangle$ is the standard scalar product of vectors in $\mathbb{R}^{n+1}$, we set:

Definition 7. Let $X$ and $Y$ be two constrained affine sets. We say that $X \leq Y$ iff $\Phi^X \leq_2 \Phi^Y$ and, for all $t \in \mathbb{R}^p$,

    $\sup_{(\varepsilon,\eta) \in \gamma_2(\Phi^X)} |\langle (C^Y - C^X)t, \varepsilon \rangle| \leq \sup_{(\varepsilon,\eta) \in \gamma_2(\Phi^X)} |\langle P^Y t, \eta \rangle| - \sup_{(\varepsilon,\eta) \in \gamma_2(\Phi^X)} |\langle P^X t, \eta \rangle|.$

The binary relation defined in Definition 7 is a preorder on constrained affine sets which coincides with Definition 3 in the "unconstrained" case when $\Phi^X = \Phi^Y = \{1\} \times [-1,1]^{n+m}$. We use in the sequel its quotient by its equivalence relation, i.e. the partial order generated by it.

Definition 8. Let $X$ be a constrained affine set. Its concretization in $\mathcal{P}(\mathbb{R}^p)$ is

    $\gamma(X) = \{\, {}^tC^X \varepsilon + {}^tP^X \eta \mid (\varepsilon, \eta) \in \gamma_2(\Phi^X) \,\}.$

For $\Phi^X$ such that $\gamma_2(\Phi^X) = \{1\} \times [-1,1]^{n+m}$, this is equivalent to the concretization of the affine set $(C^X, P^X)$ as defined in Section 2.2. As for affine sets [14], the order relation of Definition 7 is stronger than the geometric order: if $X \leq Y$ then $\gamma(X) \subseteq \gamma(Y)$. This allows for expressing functional dependencies between the input and current values of each variable, as discussed in [14].

Note that $\gamma$ is in general computable. In case $A_2$ is a sub-polyhedric domain, such as intervals, zones, octagons, linear templates and polyhedra, $\gamma$ can be computed using any (guaranteed) solver for linear programs such as LURUPA [16], since computing $\gamma$ involves two linear programs:

    $\sup_{(\varepsilon,\eta) \in \gamma_2(\Phi^X)} \left({}^tC^X \varepsilon + {}^tP^X \eta\right)$ and $\inf_{(\varepsilon,\eta) \in \gamma_2(\Phi^X)} \left({}^tC^X \varepsilon + {}^tP^X \eta\right).$


3.3 Semantics of arithmetic operations 



Operations are not different from the ones generally defined on zonotopes, or on affine forms, see [14]; the only difference is in the multiplication, where we use the constraints on $\varepsilon_i$ and $\eta_j$ to derive bounds for the non-linear part.

We note $[\mathrm{new}\ \varepsilon_{n+1}]_{A_2}\Phi^X$ the creation of a new noise symbol $\varepsilon_{n+1}$ with (concrete) values in $[-1,1]$. We first define the assignment of a new variable $x_{p+1}$ with a range of values $[a,b]$:

Definition 9. Let $X = (C^X, P^X, \Phi^X)$ be a constrained affine set with $(C^X, P^X) \in \mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$ and $a, b \in \mathbb{R}$. We define $Z = [x_{p+1} = [a,b]]X$ where $\Phi^Z = [\mathrm{new}\ \varepsilon_{n+1}]_{A_2}\Phi^X$ and $(C^Z, P^Z) \in \mathcal{M}(n+2,p+1) \times \mathcal{M}(m,p+1)$, with $C^Z$ obtained from $C^X$ by appending a zero row (for $\varepsilon_{n+1}$) and a last column whose only non-zero entries are $\frac{a+b}{2}$ in row 0 and $\frac{b-a}{2}$ in row $n+1$, and $P^Z = (P^X\ \ 0)$ obtained from $P^X$ by appending a zero column. In other words, the new variable is $x_{p+1} = \frac{a+b}{2} + \frac{b-a}{2}\varepsilon_{n+1}$, whose concretization is exactly $[a,b]$.



We carry on by addition, or more precisely, the operation interpreting the assignment $x_{p+1} = x_i + x_j$ and adding the new variable $x_{p+1}$ to the affine set:



Definition 10. Let $X = (C^X, P^X, \Phi^X)$ be a constrained affine set where $(C^X, P^X)$ is in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We define $Z = [x_{p+1} = x_i + x_j]X = (C^Z, P^Z, \Phi^Z)$ where $(C^Z, P^Z) \in \mathcal{M}(n+1,p+1) \times \mathcal{M}(m,p+1)$ by $\Phi^Z = \Phi^X$ and

    $C^Z = \begin{pmatrix} C^X & \begin{matrix} c^X_{0,i} + c^X_{0,j} \\ \vdots \\ c^X_{n,i} + c^X_{n,j} \end{matrix} \end{pmatrix}$ and $P^Z = \begin{pmatrix} P^X & \begin{matrix} p^X_{1,i} + p^X_{1,j} \\ \vdots \\ p^X_{m,i} + p^X_{m,j} \end{matrix} \end{pmatrix},$

i.e. the column of the new variable is the sum of the columns of $x_i$ and $x_j$.



The following operation defines the multiplication of variables $x_i$ and $x_j$, appending the result to the constrained affine set $X$. All polynomial assignments can be defined using this and the previous operations.

Definition 11. Let $X = (C^X, P^X, \Phi^X)$ be a constrained affine set where $(C^X, P^X)$ is in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We define $Z = (C^Z, P^Z, \Phi^Z) = [x_{p+1} = x_i \times x_j]X$ where $(C^Z, P^Z) \in \mathcal{M}(n+2,p+1) \times \mathcal{M}(m+1,p+1)$ by:

- $\Phi^Z = [\mathrm{new}\ \varepsilon_{n+1}]_{A_2} \circ [\mathrm{new}\ \eta_{m+1}]_{A_2}\Phi^X$
- $c^Z_{l,k} = c^X_{l,k}$ and $c^Z_{n+1,k} = 0$ for all $l = 0, \ldots, n$ and $k = 1, \ldots, p$
- Let $m_r$ (resp. $\mu_r$) be the $(r+1)$th coordinate (i.e. corresponding to $\varepsilon_r$) of $\mathrm{mid}(\gamma(\Phi^X))$ (resp. of $\mathrm{dev}(\gamma(\Phi^X))$), where mid (resp. dev) denotes the middle (resp. the radius) of an interval, and $q_l$ (resp. $\chi_l$) be the $(l+n+1)$th coordinate (i.e. corresponding to $\eta_l$) of $\mathrm{mid}(\gamma(\Phi^X))$ (resp. of $\mathrm{dev}(\gamma(\Phi^X))$). Write $d^X_i = c^X_{0,i} + \sum_{1 \leq r \leq n} c^X_{r,i} m_r + \sum_{1 \leq l \leq m} p^X_{l,i} q_l$ for the value of $x_i$ at the centre of the ranges of the noise symbols. Then
    $c^Z_{0,p+1} = d^X_i d^X_j - \sum_{1 \leq r \leq n} (d^X_i c^X_{r,j} + d^X_j c^X_{r,i})\, m_r - \sum_{1 \leq l \leq m} (d^X_i p^X_{l,j} + d^X_j p^X_{l,i})\, q_l + \sum_{1 \leq r \leq n} c^X_{r,i} c^X_{r,j}\, \frac{\mu_r^2}{2} + \sum_{1 \leq l \leq m} p^X_{l,i} p^X_{l,j}\, \frac{\chi_l^2}{2}$
- $c^Z_{l,p+1} = d^X_j c^X_{l,i} + d^X_i c^X_{l,j}$ for all $l = 1, \ldots, n$
- $c^Z_{n+1,p+1} = \sum_{1 \leq r \leq n} |c^X_{r,i} c^X_{r,j}|\, \frac{\mu_r^2}{2} + \sum_{1 \leq r \neq l \leq n} |c^X_{r,i} c^X_{l,j}|\, \mu_r \mu_l$
- $p^Z_{l,k} = p^X_{l,k}$, $p^Z_{m+1,k} = 0$ and $p^Z_{l,p+1} = 0$, for all $l = 1, \ldots, m$ and $k = 1, \ldots, p$
- $p^Z_{m+1,p+1} = \sum_{1 \leq l \leq m} |p^X_{l,i} p^X_{l,j}|\, \frac{\chi_l^2}{2} + \sum_{1 \leq r \neq l \leq m} |p^X_{r,i} p^X_{l,j}|\, \chi_r \chi_l + \sum_{1 \leq r \leq n,\ 1 \leq l \leq m} (|c^X_{r,i} p^X_{l,j}| + |p^X_{l,i} c^X_{r,j}|)\, \mu_r \chi_l$.

The squared terms are halved because, once $\varepsilon_r$ is written as $m_r + \delta_r$ with $|\delta_r| \leq \mu_r$, the square $\delta_r^2$ lies in $[0, \mu_r^2]$, whose centre goes to the constant and whose radius to the new symbol.

The correctness of this abstract semantics stems from the fact that these operations are increasing functions over the set of constrained affine sets. For sub-polyhedric domains $A_2$, $m_r$, $q_l$, $\mu_r$ and $\chi_l$ are easily computable, solving with a guaranteed linear solver the four linear programming problems $\sup_{(\varepsilon,\eta) \in \gamma_2(\Phi^X)} \varepsilon_r$ (resp. inf) and $\sup_{(\varepsilon,\eta) \in \gamma_2(\Phi^X)} \eta_l$ (resp. inf); for an interval domain for $A_2$, no such computation is needed of course.

Getting back to the running example of Section 1, in the false branch of the if (y>=0) test, we have to compute y = x * x + 2 with $x = 5 + 5\varepsilon_1$ and $\varepsilon_1 \in [-1, -0.444]$. Using Definition 11, which takes advantage of the bounds on $\varepsilon_1$ to get a better bound on the non-linear part (typically not possible if we had constructed a reduced product), we get $y = 14.93 + 13.9\varepsilon_1 + 0.966\varepsilon_3$ with $\varepsilon_3 \in [-1,1]$. This gives $\gamma(y) = [0.07, 9.72]$, which is very precise since $\gamma(x) = [0, 2.77]$, hence we should ideally find $\gamma(y)$ in $\gamma(x) * \gamma(x) + 2 = [2, 9.72]$. Note that the multiplication given in Definition 11 and used here is not the direct adaptation of the multiplication in the unconstrained case, which would give the much less accurate form $y = 41.97 + 50\varepsilon_1 + 10.03\varepsilon_3$: the better formulation is obtained by choosing an affine form that is a linearization of $x_i \times x_j$ no longer at 0, but at the centre of the range of the constrained noise symbols.
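As an added example (not code from the paper or from APRON), here is a Python version of the interval-domain instance of the operations above: the interval abstraction $\alpha_2$ of one linear constraint on the noise symbols, as used by the tests of Definitions 5 and 6, the equality test of Example 1 with its width minimization, and the multiplication of Definition 11 restricted to central symbols, reproducing the numbers of the running example. The function names (`tighten`, `equality_test`, `multiply`, `multiply_at_zero`) and the list representation of forms are this example's own conventions.

```python
from math import inf

# A constrained affine form over an interval domain is a pair (coeffs, ranges):
# coeffs[0] is the constant, coeffs[i] the coefficient of noise symbol i and
# ranges[i-1] = (lo, hi) the interval of that symbol (Phi^X of Definition 4).

def mid(iv):
    return (iv[0] + iv[1]) / 2

def dev(iv):
    return (iv[1] - iv[0]) / 2

def interval_mul(p, q):
    prods = [p[0] * q[0], p[0] * q[1], p[1] * q[0], p[1] * q[1]]
    return (min(prods), max(prods))

def gamma(coeffs, ranges):
    """Interval concretization of an affine form under the noise ranges."""
    lo = hi = coeffs[0]
    for a, (l, h) in zip(coeffs[1:], ranges):
        lo, hi = lo + min(a * l, a * h), hi + max(a * l, a * h)
    return (lo, hi)

def tighten(lin, ranges, lo_rhs, hi_rhs):
    """alpha_2 in the interval domain of lo_rhs <= lin(eps) <= hi_rhs, lin = [a0, ..., an].
    For one linear constraint, projecting (box and constraint) on each axis with the
    other symbols in their original box is exact, so a single pass suffices."""
    new = []
    for i, a in enumerate(lin[1:]):
        if a == 0:
            new.append(ranges[i])
            continue
        rest = [lin[0]] + [c for j, c in enumerate(lin[1:]) if j != i]
        rl, rh = gamma(rest, [r for j, r in enumerate(ranges) if j != i])
        b1, b2 = (lo_rhs - rh) / a, (hi_rhs - rl) / a       # bounds on eps_i alone
        new.append((max(ranges[i][0], min(b1, b2)), min(ranges[i][1], max(b1, b2))))
    return new

def equality_test(xi, xj, ranges):
    """[x_i == x_j]X (Definition 5, Example 1): tighten the ranges with x_i - x_j = 0, then
    pick z = x_i + lam*(x_i - x_j), equal to x_i whenever the constraint holds exactly, with
    the lam minimizing the width of gamma(z) on the tightened ranges (the text parametrizes
    the same family of solutions by the coefficient c^Z_ki instead of lam)."""
    diff = [a - b for a, b in zip(xi, xj)]
    rz = tighten(diff, ranges, 0.0, 0.0)

    def width(lam):   # sum_l |x_il + lam*diff_l| * dev(eps_l): piecewise linear in lam
        return sum(abs(a + lam * d) * dev(r) for a, d, r in zip(xi[1:], diff[1:], rz))

    # a sum of |affine| functions attains its minimum at one of its breakpoints
    lam = min((-a / d for a, d in zip(xi[1:], diff[1:]) if d != 0), key=width)
    return rz, [a + lam * d for a, d in zip(xi, diff)]

def multiply(xi, xj, ranges):
    """x_i * x_j as in Definition 11 restricted to central symbols: linearize at the centre
    m_r of each noise range; the quadratic remainder keeps its centre in the constant and
    its radius on a fresh symbol appended to the ranges."""
    n = len(ranges)
    m, mu = [mid(r) for r in ranges], [dev(r) for r in ranges]
    di = xi[0] + sum(xi[r + 1] * m[r] for r in range(n))   # x_i at the centre (d_i)
    dj = xj[0] + sum(xj[r + 1] * m[r] for r in range(n))
    c0 = di * dj - sum((di * xj[r + 1] + dj * xi[r + 1]) * m[r] for r in range(n))
    c0 += sum(xi[r + 1] * xj[r + 1] * mu[r] ** 2 / 2 for r in range(n))  # delta_r^2 in [0, mu_r^2]
    lin = [di * xj[r + 1] + dj * xi[r + 1] for r in range(n)]
    fresh = sum(abs(xi[r + 1] * xj[r + 1]) * mu[r] ** 2 / 2 for r in range(n))
    fresh += sum(abs(xi[r + 1] * xj[l + 1]) * mu[r] * mu[l]
                 for r in range(n) for l in range(n) if r != l)
    return [c0] + lin + [fresh], ranges + [(-1.0, 1.0)]

def multiply_at_zero(xi, xj, ranges):
    """Direct adaptation of the unconstrained product: linearize at 0 and use the ranges
    only to bound the quadratic terms (the text's 41.97 + 50 eps1 + 10.03 eps3)."""
    n = len(ranges)
    lin = [xi[0] * xj[r + 1] + xj[0] * xi[r + 1] for r in range(n)]
    quad = (0.0, 0.0)
    for r in range(n):
        for l in range(n):
            sq = interval_mul(ranges[r], ranges[l])
            if r == l:
                sq = (max(sq[0], 0.0), sq[1])           # eps_r^2 is never negative
            t = interval_mul((xi[r + 1] * xj[l + 1],) * 2, sq)
            quad = (quad[0] + t[0], quad[1] + t[1])
    return [xi[0] * xj[0] + mid(quad)] + lin + [dev(quad)], ranges + [(-1.0, 1.0)]

def example_1():   # x1 = 4 + eps1 + eps2 + eta1, x2 = -eps1 + 3 eps2, symbols in [-1, 1]
    return equality_test([4.0, 1.0, 1.0, 1.0], [0.0, -1.0, 3.0, 0.0], [(-1.0, 1.0)] * 3)

def running_example():
    """x in [0,10] as 5 + 5 eps1; y = x*x - x; if (y >= 0) ... else y = x*x + 2."""
    ranges = [(-1.0, 1.0)]
    x = [5.0, 5.0]
    xx, ranges = multiply(x, x, ranges)             # 37.5 + 50 eps1 + 12.5 eps2
    x = x + [0.0]                                   # x does not depend on eps2
    y = [a - b for a, b in zip(xx, x)]              # 32.5 + 45 eps1 + 12.5 eps2
    r_true = tighten(y, ranges, 0.0, inf)           # y >= 0: nothing to tighten
    r_false = tighten(y, ranges, -inf, 0.0)         # y < 0: eps1 < -0.444
    y_false, r_false = multiply(x, x, r_false)      # linearized at the centre of eps1
    y_false[0] += 2.0
    y_naive, r_naive = multiply_at_zero(x, x, r_false[:2])
    y_naive[0] += 2.0
    return r_true, r_false, y_false, gamma(y_false, r_false), gamma(y_naive, r_naive)
```

The exact projection in `tighten` gives $\varepsilon_1 \leq -4/9$ instead of the rounded $-0.444$ used in the text, so the resulting bounds differ from the text's in the third decimal.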



4 Join operator on constrained affine sets 



We first examine the easier case of finding a join operator for affine sets with just one variable, and $A_2$ being the lattice of intervals. We then use the characterisations we find in this case to give efficient formulas for a precise (although over-approximated) join operator in the general case. We do not study here maximal lower bounds of affine sets, although they are naturally linked to the interpretation of tests, Section 3.1; this is outside the scope of this paper.

4.1 The one-dimensional case 

In dimension one, constrained affine sets are simply constrained affine forms:

    $a = \left(a(\varepsilon) = \alpha_0^a + \sum_{i=1}^n \alpha_i^a \varepsilon_i,\ \beta^a,\ \Phi^a\right),$

where $\varepsilon = (\varepsilon_1, \ldots, \varepsilon_n)^t$ belongs to $\Phi^a$, and $\beta^a$ is non negative. We use the bold face notation $\boldsymbol{\varepsilon}_i^a$ to denote the interval concretization of $\varepsilon_i$. Let $a$ and $b$ be two constrained affine forms. Then $a \leq b$ in the sense of Definition 7 if and only if

    $\sup_{\varepsilon \in \Phi^a} |a(\varepsilon) - b(\varepsilon)| \leq \beta^b - \beta^a.$

In general, there is no least upper bound for two constrained affine forms, but rather, as already noted in the unconstrained case [13, 14], minimal upper bounds. A sufficient condition for $c$ to be a minimal upper bound is to enforce a minimal concretization, that is, $\gamma(c) = \gamma(a) \cup \gamma(b)$, and then minimize $\beta^c$ among upper bounds with this concretization.

Algorithm 1 computes this particular mub in some cases (when the first return branch is taken), and else an upper bound with minimal interval concretisation. Let us introduce the following notion used in the algorithm: let $i$ and $j$ be two intervals; $i$ and $j$ are said to be in generic position if ($i \subseteq j$ or $j \subseteq i$) implies ($\sup(i) = \sup(j)$ or $\inf(i) = \inf(j)$). We say by extension that two affine forms are in generic position if their interval concretisations are in generic position. The join algorithm is similar to the formula in the unconstrained case described in [14], except we have to be cautious about the relative position of the ranges of noise symbols.

Example 3. To complete the analysis of the running example of Section 1, the join of the abstract values for $y$ on the two branches must be computed:

    $\Phi^a = 1 \times [-1,1] \times [-1,1] \times [-1,1]$        $\Phi^b = 1 \times [-1,-0.444] \times [-1,1] \times [-1,1]$
    $a = 0.5 + 0.5\varepsilon_1$                                   $b = 14.93395 + 13.9\varepsilon_1 + 0.96605\varepsilon_3$
    $\gamma(a) = [0,1]$                                            $\gamma(b) = [0.0679, 9.7284]$

$a$ and $b$ are in generic position, and so are $\boldsymbol{\varepsilon}_1^a$ and $\boldsymbol{\varepsilon}_1^b$, but the condition $\mathrm{mid}(\boldsymbol{\varepsilon}_1^b) \geq \mathrm{mid}(\boldsymbol{\varepsilon}_1^a \cup \boldsymbol{\varepsilon}_1^b)$ is not satisfied, so that the join gives the following minimal upper bound:

    $\Phi^c = 1 \times [-1,1] \times [-1,1] \times [-1,1]$
    $c = 4.8642 + 4.8642\eta_1,\quad \gamma(c) = [0, 9.7284]$



Algorithm 1: Join of two constrained affine forms

    if a and b are in generic position then
        if mid(γ(b)) < mid(γ(a)) then swap a and b
        for i ≥ 1 do
            α_i^c ← 0
            if ε_i^a and ε_i^b are in generic position then
                if α_i^a ≥ 0 and α_i^b ≥ 0 then
                    if mid(ε_i^a) ≤ mid(ε_i^a ∪ ε_i^b) and mid(ε_i^b) ≥ mid(ε_i^a ∪ ε_i^b) then
                        α_i^c ← min(α_i^a, α_i^b)
                if α_i^a ≤ 0 and α_i^b ≤ 0 then
                    if mid(ε_i^a) ≥ mid(ε_i^a ∪ ε_i^b) and mid(ε_i^b) ≤ mid(ε_i^a ∪ ε_i^b) then
                        α_i^c ← max(α_i^a, α_i^b)
        if 0 ≤ Σ_{i=1}^n α_i^c (mid(ε_i^a ∪ ε_i^b) − mid(ε_i^a)) ≤ mid(γ(a) ∪ γ(b)) − mid(γ(a)) and
           mid(γ(a) ∪ γ(b)) − mid(γ(b)) ≤ Σ_{i=1}^n α_i^c (mid(ε_i^a ∪ ε_i^b) − mid(ε_i^b)) ≤ 0 then
            β^c ← dev(γ(a) ∪ γ(b)) − Σ_{i=1}^n |α_i^c| dev(ε_i^a ∪ ε_i^b)
            α_0^c ← mid(γ(a) ∪ γ(b)) − Σ_{i=1}^n α_i^c mid(ε_i^a ∪ ε_i^b)
            return (α_0^c, α_1^c, ..., α_n^c, β^c)    /* mub */
    β^c ← dev(γ(a) ∪ γ(b)), α_0^c ← mid(γ(a) ∪ γ(b)), return (α_0^c, β^c)    /* ub */



Example 4. Let us now consider a second example:

    $\Phi^a = 1 \times [-1,0] \times [-1,1]$                          $\Phi^b = 1 \times [-1,1] \times [0,0.5]$
    $a = 1 + 2\varepsilon_1 - \varepsilon_2,\quad \gamma(a) = [-2,2]$   $b = 4 + 3\varepsilon_1 - \varepsilon_2,\quad \gamma(b) = [-2,7]$

$a$ and $b$ are in generic position, as well as $\boldsymbol{\varepsilon}_1^a$ and $\boldsymbol{\varepsilon}_1^b$, while $\boldsymbol{\varepsilon}_2^a$ and $\boldsymbol{\varepsilon}_2^b$ are not; the join gives the following minimal upper bound:

    $\Phi^c = 1 \times [-1,1] \times [-1,1] \times [-1,1]$
    $c = \frac{5}{2} + 2\varepsilon_1 + \frac{5}{2}\eta_1,\quad \gamma(c) = [-2,7]$
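Algorithm 1 as runnable Python (an added example, not the paper's implementation), together with the one-variable order of Definition 7, used to check that the result is indeed an upper bound of both arguments; `join`, `leq`, the tuple representation (coeffs, beta, ranges) and the constructed inputs `EXAMPLE_3` and `EXAMPLE_4` (the forms of Examples 3 and 4) are this example's own.

```python
# Constrained affine forms in one variable, written as (coeffs, beta, ranges):
# coeffs = [alpha_0, alpha_1, ..., alpha_n], beta >= 0 the perturbation term and
# ranges[i-1] = (lo, hi) the interval of eps_i (an interval domain for Phi).

def mid(iv):
    return (iv[0] + iv[1]) / 2

def dev(iv):
    return (iv[1] - iv[0]) / 2

def hull(p, q):
    return (min(p[0], q[0]), max(p[1], q[1]))

def generic(p, q):
    """Generic position: if one interval contains the other, they share a bound."""
    nested = (q[0] <= p[0] and p[1] <= q[1]) or (p[0] <= q[0] and q[1] <= p[1])
    return (not nested) or p[0] == q[0] or p[1] == q[1]

def gamma(form):
    """Interval concretization: the affine part over the ranges plus beta * [-1, 1]."""
    coeffs, beta, ranges = form
    lo, hi = coeffs[0] - beta, coeffs[0] + beta
    for a, (l, h) in zip(coeffs[1:], ranges):
        lo, hi = lo + min(a * l, a * h), hi + max(a * l, a * h)
    return (lo, hi)

def leq(a, c):
    """a <= c in the sense of Definition 7 for one variable: the sup over Phi^a of
    |a(eps) - c(eps)| must not exceed beta^c - beta^a (small tolerance for rounding)."""
    diff = [x - y for x, y in zip(a[0], c[0])]
    lo, hi = gamma((diff, 0.0, a[2]))
    return max(abs(lo), abs(hi)) <= c[1] - a[1] + 1e-9

def join(a, b):
    """Algorithm 1.  Returns (coeffs, beta, ranges, is_mub); the result's symbol
    ranges are the hulls of those of a and b (Phi^c in Examples 3 and 4)."""
    ga, gb = gamma(a), gamma(b)
    u = hull(ga, gb)                                   # gamma(a) U gamma(b)
    ranges = [hull(ra, rb) for ra, rb in zip(a[2], b[2])]
    if generic(ga, gb):
        if mid(gb) < mid(ga):
            a, b, ga, gb = b, a, gb, ga
        alpha = [0.0] * len(ranges)
        for i, (ra, rb) in enumerate(zip(a[2], b[2])):
            if not generic(ra, rb):
                continue
            ai, bi, mu = a[0][i + 1], b[0][i + 1], mid(ranges[i])
            if ai >= 0 and bi >= 0 and mid(ra) <= mu <= mid(rb):
                alpha[i] = min(ai, bi)
            if ai <= 0 and bi <= 0 and mid(rb) <= mu <= mid(ra):
                alpha[i] = max(ai, bi)
        sa = sum(al * (mid(r) - mid(ra)) for al, r, ra in zip(alpha, ranges, a[2]))
        sb = sum(al * (mid(r) - mid(rb)) for al, r, rb in zip(alpha, ranges, b[2]))
        if 0 <= sa <= mid(u) - mid(ga) and mid(u) - mid(gb) <= sb <= 0:
            # keep the shared coefficients, put the rest of the hull on beta: a mub
            beta = dev(u) - sum(abs(al) * dev(r) for al, r in zip(alpha, ranges))
            a0 = mid(u) - sum(al * mid(r) for al, r in zip(alpha, ranges))
            return [a0] + alpha, beta, ranges, True
    # fallback: the interval hull alone, an upper bound with minimal concretization
    return [mid(u)] + [0.0] * len(ranges), dev(u), ranges, False

# Constructed inputs: Example 3 (the running example's two branches) and Example 4.
EXAMPLE_3 = (([0.5, 0.5, 0.0, 0.0], 0.0, [(-1.0, 1.0)] * 3),
             ([14.93395, 13.9, 0.0, 0.96605], 0.0,
              [(-1.0, -0.444), (-1.0, 1.0), (-1.0, 1.0)]))
EXAMPLE_4 = (([1.0, 2.0, -1.0], 0.0, [(-1.0, 0.0), (-1.0, 1.0)]),
             ([4.0, 3.0, -1.0], 0.0, [(-1.0, 1.0), (0.0, 0.5)]))

if __name__ == "__main__":
    for a, b in (EXAMPLE_3, EXAMPLE_4):
        coeffs, beta, ranges, is_mub = join(a, b)
        c = (coeffs, beta, ranges)
        print(coeffs, beta, "mub" if is_mub else "ub", leq(a, c) and leq(b, c))
```

On Example 3 the loop zeroes every $\alpha_i^c$ (the mid condition on $\varepsilon_1$ fails) and the mub branch still fires, giving $4.8642 + 4.8642\,\eta_1$; on Example 4 the shared $\varepsilon_1$ coefficient 2 survives and the rest of the hull goes to $\beta^c = 5/2$.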

4.2 Join operator in the general case 

As in the unconstrained case [14], mubs for the global order on constrained affine sets are difficult to characterize. Instead of doing so, we choose in this paper to describe a simple yet efficient way of computing a good over-approximation of such mubs, relying on Algorithm 1 for mubs with minimal concretisation for constrained affine forms.

First, we need two new operators. To each constrained affine set $X = (C^X, P^X, \Phi^X)$, where $(C^X, P^X) \in \mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$, and for each $k = 1, \ldots, p$, we associate the constrained affine form

    $\downarrow_k X = \left(c^X_{0,k} + \sum_{i=1}^n c^X_{i,k}\varepsilon_i + \sum_{j=1}^m p^X_{j,k}\eta_j,\ 0,\ \Phi^X\right).$

Basically, $\downarrow_k X$ takes the $k$th column of $X$ (i.e. considers only the $k$th variable of the environment) and treats the perturbation symbols $\eta_j$ as central symbols (like the $\varepsilon_i$). Conversely, to each set of $p$ constrained affine forms $A = (a_k)_k$ with $a_k = (\alpha_{0,k} + \sum_{i=1}^n \alpha_{i,k}\varepsilon_i,\ \beta_k,\ \Phi)$ (with the same $\Phi$, and $k = 1, \ldots, p$), we associate the constrained affine set $\uparrow^l A = (C, P, \Phi)$ with $(C, P) \in \mathcal{M}(l+1,p) \times \mathcal{M}(n-l+p,p)$ and $c_{i,k} = \alpha_{i,k}$, $i = 0, \ldots, l$ and $k = 1, \ldots, p$; $p_{j-l,k} = \alpha_{j,k}$, $j = l+1, \ldots, n$ and $k = 1, \ldots, p$; $p_{n-l+k,k} = \beta_k$, $k = 1, \ldots, p$, the rest being equal to zero.

This operator basically embeds a set of $p$ constrained affine forms with the same constraint on the noise symbols into a constrained affine set such that symbols $\varepsilon_i$ up to $l$ are considered as central noise symbols, whereas further symbols are considered as perturbation noise symbols; and the perturbation term of each constrained affine form is considered to create a new independent perturbation noise symbol (hence creating $p$ new perturbation noise symbols in $\uparrow^l A$).

Definition 12. Let $X = (C^X, P^X, \Phi^X)$ and $Y = (C^Y, P^Y, \Phi^Y)$ be two constrained affine sets with $(C^X, P^X)$ and $(C^Y, P^Y)$ in $\mathcal{M}(n+1,p) \times \mathcal{M}(m,p)$. We define

    $J(X, Y) = \uparrow^n \left( \downarrow_k (C^X, P^X, \Phi^X \sqcup \Phi^Y) \vee \downarrow_k (C^Y, P^Y, \Phi^X \sqcup \Phi^Y) \right)_{1 \leq k \leq p}$

the join of $X$ and $Y$, where $\vee$ denotes the join of two constrained affine forms. It defines an upper bound of $X$ and $Y$.

Example 5. Consider, for all noise symbols in $[-1,1]$, constrained affine sets $X$ defined by $x_1 = 1 + \varepsilon_1$, $x_2 = 1 + \varepsilon_2$, and $Y$ defined by $y_1 = 1 + \eta_1$, $y_2 = 1 + \eta_1$. Considering first the 1D cases, we have $x_1 \leq y_1$ and $x_2 \leq y_2$. However we do not have $X \leq Y$ for the global order of Definition 7, but we have $X \leq Z$ with $Z$ defined by $z_1 = 1 + \eta_1$ and $z_2 = 1 + \eta_2$, constructed with the $\uparrow$ operator.

5 Experiments 

In this section, we compare the results we obtain with our new domain, called constrained T1+, in its APRON implementation, with the octagon and polyhedron APRON domains, the unconstrained T1+ [7], and the result given by our FLUCTUAT analyzer on the real value of variables. FLUCTUAT implementing a reduced product of affine sets with intervals, this comparison demonstrates the interest of the logical product approach with respect to a classical product. Our constrained T1+ implementation allows one to choose, as a parameter of the analysis, the APRON domain used to abstract the constraints on noise symbols. However, at this stage, conditionals are interpreted only for the interval domain, so we present results for this domain only.

Table 1 shows the numerical range of a variable of interest of each test case and for each domain, after giving the exact range we would hope to find. InterQ1 combines linear tests with quadratic expressions; only constrained T1+ finds the right upper bound of the invariant. Cosine is a piecewise 3rd order polynomial interpolation of the cosine function: once again, only constrained T1+ finds the exact invariant. InterL2 (resp. InterQ2) computes a piecewise affine (resp. quadratic) function of the input, then focuses on the inverse image of 1 by this function. Note that our domain scales up well, as was the case with Taylor1+ (see [7] for benchmarks), while giving results that are often better than all the other domains presented here. As a matter of fact, for an interval domain for the noise symbols, all abstract transfer functions are linear or at worst quadratic in the number of noise symbols appearing in the affine forms. Moreover, the superiority of the logical product approach over the reduced product (FLUCTUAT) is clearly demonstrated.

Table 1. Comparison of Constrained T1+ with APRON's abstract domains

    Test case   Exact        Octagons        Polyhedra       T1+             Fluctuat      Constr. T1+
    InterQ1     [0, 1875]    [-3750, 6093]   [-2578, 4687]   [-2e6, 5e6]     [0, 2500]     [-312, 1875]
    Cosine      [-1, 1]      [-1.50, 1.0]    [-1.50, 1.0]    [-4.43, 4.71]   [-1.073, 1]   [-1, 1]
    ItvPoly     x > 3        x > -2.21       x > -2          top             x > -2        x > -2
    InterL2     {0.1}        [-1, 1]         [0.1, 0.4]      [-1, 1]         [-1, 1]       [0.1, 1]
    InterQ2     {0.36}       [-1, 1]         [-0.8, 1]       [-1, 1]         [-1, 1]       [-0.8, 1]

6 Conclusion, and future work 

In this paper, we studied the logical product of the domain of affine sets with sub-polyhedric domains on noise symbols, although the framework as described here is much more general. We concentrated on such abstract domains for $A_2$ for practical reasons, in order to have actual algorithms to compute the abstract transfer functions.

However, in some embedded control systems, quadratic constraints appear already on the set of initial values to be treated by the control program, or as a necessary condition for behaving well, numerically speaking. For example in [3], as in a large class of navigation systems, the control program manipulates normalized quaternions, that describe the current position in 3D of an aircraft, missile, rocket etc. We think that a combination of zonotopes with quadratic templates [1] along the lines of this article would be of interest to analyze these programs.

Also, as noticed in [2], maxplus polyhedra encompass a large subclass of disjunctions of zones; hence, by combining them with affine sets, we get another rather inexpensive way to derive a partially disjunctive analysis from affine forms (another with respect to the ideas presented in [13]).

Another future line of work is to combine the ideas of this paper with the ones of [12] to get better under-approximation methods in static analysis.